70 likes | 458 Views
SSO Best Practices. Suchin Rengan Principal Technical Architect Salesforce.com . Best Practices (Delegated Authentication). Implement DA mechanism only if SAML/OAuth is not deemed appropriate Delegated Authentication needs custom development and thereby maintenance and support
E N D
SSO Best Practices Suchin Rengan Principal Technical Architect Salesforce.com
Best Practices (Delegated Authentication) • Implement DA mechanism only if SAML/OAuth is not deemed appropriate • Delegated Authentication needs custom development and thereby maintenance and support • Delegated Authentication is not an industry standard • Implementation considerations such as result must be returned within 10 seconds of request, else the request fails • Recommendation is not to enable this on System Administrator’s profile, since during an outage, there needs to be way for Sys Admins to log in
Best Practices (Delegated Authentication) • Implement using existing skill set within organization • Java/.NET skills • Make sure appropriate testing has been performed to handle large number of concurrent logins • Host the Delegated Authentication web service on a high available platform • Incorporate fault tolerance, load balancing and failover strategies • Reuse token/ credentials that adhere to corporate standards • Leverage existing credential store and services that can validate/ authenticate tokens
Best Practices (SAML) • Make sure the IDP is on a high available environment • Incorporate fault tolerance, load balancing and failover strategies • Use Federation Id instead of Salesforce username as subject Id for performance • Identity based on login and no mapping required to know Salesforce username • Login post is org specific and hence no time needed by Salesforce to resolve org instance • If using username then pass it in Attribute instead of Subject, this helps accomplish posting token to an instance URL
Best Practices (SAML) • Be proactive with regards to certificate (Salesforce and client) expirations • Schedule maintenance window prior to expiration to refresh certificates
Best Practices (SAML) • Disabling users from directly logging into SF if SAML is enabled • Implement Delegated Authentication service that will always return a ‘false’ • Use MyDomains feature to restrict users from logging in directly • Implement custom logout, error pages to present custom messages instead of defaults • Leverage the corporate branded pages as appropriate with messages indicating whom to contact in case of errors
Best Practices (SAML) • Check for any time skews that may lead to inconsistent timeout/ session creation issues • Salesforce.com allows a maximum of three minutes for clock skew with your IDP server, make sure your server's clock is up-to-date • Perform periodic testing to make sure that the time skew is within couple of minutes • A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp() ) and get the difference to make sure it is within limits